an eﬃcient intruder detection algorithm against sinkhole ...user.it.uu.se/~eding810/journals/an...

www.elsevier.com/locate/comcom

Computer Communications 30 (2007) 2353–2364

An efficient intruder detection algorithm againstsinkhole attacks in wireless sensor networks

Edith C.H. Ngai a, Jiangchuan Liu b,*, Michael R. Lyu a

a Department of Computer Science and Engineering, The Chinese University of Hong Kong, Hong Kongb School of Computing Science, Simon Fraser University, Burnaby, BC, Canada V5A 1S6

Available online 6 May 2007

Abstract

In a wireless sensor network, multiple nodes would send sensor readings to a base station for further processing. It is known that sucha many-to-one communication is highly vulnerable to a sinkhole attack, where an intruder attracts surrounding nodes with unfaithfulrouting information, and then performs selective forwarding or alters the data passing through it. A sinkhole attack forms a seriousthreat to sensor networks, particularly considering that the sensor nodes are often deployed in open areas and of weak computationand battery power.

In this paper, we present a novel algorithm for detecting the intruder in a sinkhole attack. The algorithm first finds a list of suspectednodes through checking data consistency, and then effectively identifies the intruder in the list through analyzing the network flow infor-mation. The algorithm is also robust to deal with multiple malicious nodes that cooperatively hide the real intruder. We have evaluatedthe performance of the proposed algorithm through both numerical analysis and simulations, which confirmed the effectiveness and accu-racy of the algorithm. Our results also suggest that its communication and computation overheads are reasonably low for wireless sensornetworks.� 2007 Elsevier B.V. All rights reserved.

Keywords: Wireless sensor network; Sinkhole attack; Intruder detection; Intruder identification

1. Introduction

A wireless sensor network (WSN) consists of a set ofgeographically distributed sensor nodes, which continu-ously monitor their surroundings and forward the sensingdata to a base station (referred to as a sink) throughmulti-hop routing. It has become increasingly popular insolving such challenging real-world problem as geographi-cal sensing and environmental monitoring.

Given the importance of the sensed data, various attackshave targeted sensor networks [1,2]. While some of theattacks are common in different types of networks, themany-to-one communication pattern between the sensorsand the sink poses unique challenges [3–5]. A typical exam-

0140-3664/$ - see front matter � 2007 Elsevier B.V. All rights reserved.

doi:10.1016/j.comcom.2007.04.025

* Corresponding author. Tel.: +1 604 291 4336; fax: +1 604 291 3045.E-mail addresses: [email protected] (E.C.H. Ngai), [email protected].

ca (J. Liu), [email protected] (M.R. Lyu).

ple is the sinkhole attack, where an intruder attracts sur-rounding nodes with unfaithful routing information, andthen alters the data passing through it or performs selectiveforwarding [1,6,7]. The sinkhole attack prevents the basestation from obtaining complete and correct sensing data,and thus leads to a serious threat. It is particularly severefor wireless sensor networks given that the wireless linksare vulnerable and the sensors are often deployed in openareas with weak computation and battery power. The exist-ing routing protocols in sensor networks are generally sus-ceptible to the sinkhole attack [1,8–10]. Although somesecure mechanisms are proposed and make use of crypto-graphic techniques to protect network traffic [11–14], theyare often localized, or suffer from high computation over-heads and require time synchronization among the nodes.

In this paper, we propose a novel lightweight algorithmfor detecting the sinkhole attack and identifying the intru-der involved. We deviate from the traditional strategy of

mailto:[email protected]

mailto:[email protected]. ca

mailto:[email protected]. ca

mailto:[email protected]

2354 E.C.H. Ngai et al. / Computer Communications 30 (2007) 2353–2364

defending against an attack using cryptography; instead,we first detect the attack by observing the network flowinformation, and then identify the intruder and maliciousnodes, which can later be isolated to protect the network.

We focus on a general many-to-one communicationmodel, where the routes are established based on the recep-tion of route advertisements. Our solution explores theasymmetricity between the sensor nodes and the base sta-tion, and makes effective use of the relatively-high compu-tation and communication power of the base station[1,15,16]. It consists of two major parts: First, a secureand low-overhead algorithm for the base station to collectthe network flow information from the attacked area; Sec-ond, an efficient identification algorithm that analyzes therouting pattern and locates the intruder. We also considerthe complex scenario with colluding nodes that coopera-tively cheat the base station about the intruder location.Specifically, we examine multiple suspicious nodes andidentify the intruder with a voting method. We show thatthe solution is correct as long as the normal nodes aredominant.

The performance of the proposed algorithm is evaluatedthrough simulations, which confirm the effectiveness andaccuracy of the algorithm. Our results also suggest thatits communication and computation overheads are reason-ably low for wireless sensor networks.

The remainder of this paper is organized as follows. Sec-tion 2 presents the related work. In Section 3, we formallydescribe the sinkhole attack in wireless sensor networks,and state the problem to be solved. In Section 4, we presentour 2-step detection algorithm, which collects network flowinformation and identifies the intruder. In Section 5, weenhance the algorithm to handle multiple malicious nodesand prove its correctness. The performance of the proposedalgorithm is further evaluated in Sections 6 through simu-lations. Finally, Section 7 concludes this paper and offerssome future research directions.

2. Related work

Intrusion detection has long been an active researchtopic in the Internet evolution [17]. Recently, manydetection algorithms have been proposed for wirelessad hoc networks as well. Most of them assume uniformnodes and symmetric data communication patternsbetween the nodes [7,18,19]. The one-to-many communi-cation pattern in wireless sensor networks however posesdifferent challenges, in particular, the sinkhole attack.The weaker computation and battery power of the sensornodes further aggravates the problem. Pirzada et al. [20]applied a trust scheme to the routing protocol to detectsinkhole and wormhole attacks in a sensor network,but it requires the nodes to operate in a promiscuousmode. Hu et al. [21] introduced packet leash, which con-fides the maximum transmission time and distance ofeach packet. It assumes that a node can obtain a keyfor any other node and authentication is applied to each

data packet. On the contrary, our work does not requirethe nodes to support promiscuous mode nor authenticateevery data packet.

Our work is also motivated by the existing studies onfiltering false reports or avoiding jammed/failed nodes insensor networks. Specifically, Doumit and Agrawal [22]showed a self-organized criticality (SOC) and HiddenMarkov models based algorithm, which can effectivelydetect data inconsistencies in sensor networks. Woodet al. [23] proposed a mechanism for detecting and map-ping jammed regions. They described a protocol for iden-tifying the surrounding nodes of a jammer, thus avoidingthe broken links and congested nodes in the region.Staddon et al. [24] demonstrated that the topology ofthe network could be efficiently conveyed to the base sta-tion, allowing for quick tracing of failed nodes withmoderate communication overhead. Ding et al. [25] fur-ther proposed a localized algorithm for identifying faultysensors. Ye et al. [26] presented a Statistical En-routeFiltering (SEF) mechanism for detecting and droppingfalse reports. It integrates multiple authentication codes,probabilistic verification, and data filtering to determinethe truthfulness of each report. Our work differs fromthem in that we focus on sinkhole attacks, where theintruder and multiple malicious nodes actively disturbthe one-to-many data communications or even interferethe identification algorithm itself.

3. Network model and problem statement

We consider a wireless sensor network that consists of abase station (BS) and a collection of geographically distrib-uted sensor nodes, each denoted by a unique identifier IDv.The sensor nodes continuously collect and forward thesensed environmental data to the base station in a multi-hop fashion.

As mentioned earlier, this commonly used many-to-onecommunication pattern is vulnerable to sinkhole attacks.In this type of attack, an intruder usually attracts networktraffic by advertising itself as having the shortest path tothe base station. For example, as shown in Fig. 1a, anintruder, which is equipped with much higher computationand communication power than a normal sensor node, cre-ates a high-quality single-hop link to the BS. It can thenadvertise imitated routing messages about the high qualityroute, spoofing the surrounding nodes to create a sinkhole(SH). A sinkhole can also be performed using a wormhole[27], which creates a metaphorical sinkhole with the intru-der being the center; the intruder then relays the messagesreceived in one part of the network toward the sink using atunnel (see Fig. 1b).

We assume the sensor nodes are either normal or mali-

cious. The center of a sinkhole attack is a malicious nodecompromised by the intruder. Note that, even if there isonly one compromised node, it can affect many surround-ing normal nodes by creating a high quality route to thebase station. Furthermore, this intruder may also collude

Fig. 1. Two examples of sinkhole attack in wireless sensor networks. (a) Using an artificial high quality route; (b) using a wormhole.

E.C.H. Ngai et al. / Computer Communications 30 (2007) 2353–2364 2355

with some other malicious nodes. They could even collab-oratively cheat the detection algorithm by suggesting a nor-mal node as the intruder (the victim, denoted as SH 0).

The focus of our work is to effectively identify the realintruder (SH) in the sinkhole attack. Once it is identified,a routing protocol or a higher-layer application caneasily isolate the intruder from the network to avoid fur-ther loss. We assume that the base station is physicallyprotected or has tamper-robust hardware [15]; hence, itacts as a central trusted authority in our algorithmdesign. The base station also has a rough understandingon the location of nodes, which could be availableafter the node deployment stage or obtained by variouslocalization mechanisms [28]. For ease of exposition, inTable 1, we list the major notations used throughout thispaper.

4. Intruder detection for sinkhole attack

We now describe our algorithm for detecting a sinkholeattack, and then efficiently identifying the intruder. We firstfocus on the case of a single malicious node only, i.e., theintruder (SH). We assume that, in this simple scenario,the SH will affect sensor data collection, but will not inter-fere the detection algorithm through dropping or altering

Table 1List of notation

BS Base stationSH Real intruder in the sinkhole attackSH0 False intruder (victim) in the sinkhole attackIDv Identity of sensor node v

p Probability of a node being maliciousd Packet drop ratek No. of neighbors to which a message will be forwardedhmax Hops from the farthest node to the BS

hrc Hops from the BS where root correction takes placel Levels from the BS in the tree of network flowtl Number of nodes at level l

N Total number of nodes in the attacked areaFr Number of correct network flow information collectedFm Number of incorrect network flow information collectedFs Number of missing network flow informationFn Total number of network flow information collected

the control messages. In the next section, we will presentenhancements dealing with multiple malicious nodes thatcollude and even interfere the detection algorithm.

4.1. Estimating the attacked area

In a sinkhole attack, the intruder can drop, alter, orselectively forward the sensing data. The BS can suspectthe existence of an attack through various statistical orapplication-specific data analysis. The sensors, which areclosely located, are expected to have similar readings fromthe environment. We divide the network into a number ofsub-areas and compare the data within each of them. TheBS can detect the attack by finding the inconsistent databetween the normal sensors and attacked sensors in thesub-areas. It can also detect the missing data from theattacked sensors and identify the attacked area. Sincethe area affected by the attack is limited in size, it isimpossible for an intruder to alter the data from all thesensors in the network. Thus, the attack must be detectedin some of the sub-areas.

For illustration, consider a monitoring application inwhich sensor nodes submit data to the BS periodically.Let X1, . . . ,Xn be the sensing data collected in a sliding win-dow, and X be their mean. Define f(Xj) as,

f ðX jÞ ¼

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiðX j � X Þ2

X

s:

A simple measure for identifying a suspected node iswhether f(Xj) is greater than a certain threshold, for thedata from this node is noticeably inconsistent with othersin the same area. More advanced statistical methods canbe found in [29,30].

After identifying a list of suspected nodes, the BS canestimate where the sinkhole locates. Specifically, it can cir-cle a potential attacked area, which contains all the sus-pected nodes. An example is shown in Fig. 2, where theshaded nodes are found to contain missing or inconsistentdata. Note that all the nodes in the circle could be attractedby the sinkhole sooner or later, and we thus refer to themas affected nodes.

BS

SH

Nodes with missingor inconsistent data

Fig. 2. Estimate the attacked area.


4.2. Identifying the intruder

Since the attacked area may contain many nodes, andthe sinkhole is not necessarily the center of the area in amulti-hop sensor network, it is necessary to further locatethe exact intruder and isolate it from the network. Thiscan be achieved through analyzing the routing pattern inthe affected area.

We now demonstrate a method for collecting the net-work flow information, which facilitates the routing pat-tern analysis. First, the BS sends a request message to thenetwork. The message contains the IDs of the affectednodes, and is flooded hop by hop. For each node receivingthe request, if its ID is there, it should respond to the BS

with a message, which includes its own ID, the ID of thenext-hop node, and the cost for routing, e.g, hop-countto the BS. Note that the next-hop and the cost couldalready be affected by the attack; hence, the response mes-sage should be transmitted along the reverse path in theflooding, which corresponds to the original route with nointruder.

BS

SH

Fig. 3. Network flow in the attacked area.

At the BS, each piece of network flow information canbe represented by a directed edge, a!ct

b, where a denotesan affected node, b denotes the next hop of a, and ct isthe cost from a to the BS. The BS can then visualize therouting pattern by constructing a tree using the collectednext hop information. Note that the area invaded by asinkhole attack has a special routing pattern, where all net-work traffic flows toward the same destination, that is, theintruder SH. As shown in Fig. 3, once the tree is con-structed, the BS can easily identify the SH, which is exactlythe root of the tree in this single malicious node case.

5. Enhancements against multiple malicious nodes

As mentioned before, there could be multiple maliciousnodes that prevent the BS from obtaining correct and com-plete flow information for intruder detection. Specifically,they may cooperate with the intruder to perform the fol-lowing misbehaviors:

1. Forward the response messages selectively or even dropall (denial of service);

2. Modify the response messages passing through; and3. Respond with false network flow information of itself.

In this section, we present effective enhancements thataddress these problems.

5.1. Dealing with dropped flow information

Malicious nodes may drop the response messages of net-work flow information, as shown in Fig. 4a. To mitigate theproblem, the sensors can forward the information to the BS

through multiple redundant paths. Specifically, a node canforward reply messages to k neighbors, k P 1. Let p be theprobability that a node is malicious, hmax be the number ofhops from the farthest node to the BS, and the number ofnodes in level l (i.e., hop count of l to the BS) be tl. For uni-formly distributed sensors, tl can be estimated as

tl ¼ ½ðlRÞ2p� ðl� 1Þ2R2p� � D ¼ ð2l� 1ÞR2p � D;

where R is the transmission range, and D is the sensor dis-tribution density.

Consider the extreme case in which a malicious nodedoes not generate a response and drops any responses pass-ing by, the probability that the response message from anode at level l reaches the BS is (1 � p)(1 � pk)l�1. Thus,the expected number of responses reaching the BS is

n ¼Xhmax

l¼1

ð1� pÞð1� pkÞl�1tl:

As an example, for p = 0.1, k = 2, hmax = 5, R = 10 m,D = 0.01 node/m2, we have n = 67.73. That is, on average,67.73 responses will reach the BS. Such a result is reason-ably good, given that the total number of normal nodesis around 78 in this setting.

BS

SHColluding nodes

SH

3

3

3

3

3

3

3

2

33

3

2

21A

SH

SH

C

D

E

F

G H

a bFig. 4. Attacked area with colluding nodes. (a) Dropping responses; (b) providing false responses.


Since there are still losses of the responses, the tree to beconstructed based on the network flow information mightbe broken into several subtrees. Algorithm 1 shows a pro-cedure to construct these trees, and the intruder is clearly inthe tree with direct connection to the BS.

In some extreme cases, the malicious nodes may performdenial of service attacks. They may refuse to reply anddrop all the messages passing through. However, this kindof attacks can be easily detected, as the information fromthe same area is completely lost.

Algorithm 1. Identify multiple subtrees

R = / /*R: set of subtrees*/for each v 2 S /*S: set of nodes in the attacked area*/

if v has no incoming edgeR = R [ FindSubtree(v)

end for

subroutine FindSubtree(node u)R 0 = /if u is not yet visited

mark u is visitedelse

return /if u has no outgoing edge

return {u}for each e(u,v)

R 0 = R 0 [ FindSubtree(v)end for

return R 0

end FindSubtree

5.2. Dealing with tampered or false flow information

In the process for collecting the network flow informa-tion, the malicious nodes could even tamper the responsespassing by or generate false responses. The receiver thushas to protect the reply message, so as to prevent anattacker from forging the network flow information. To thisend, we assume every node v shares a secret key Kv with the

BS, which they use in conjunction with a message authenti-cation code (MAC) function (for example HMAC [31]) toauthenticate control messages. This key can be loaded tothe node through a pre-distribution protocol, e.g., that in[32]. To send a reply message R, v actually sends ÆR,MACKv(R)æ to BS, where the notation MACKv(R) is theMAC message authentication code computed over messageR with key Kv. MAC message authentication code is a shortpiece of information used to authenticate a message. AnMAC algorithm accepts a secret key and an arbitrary-length message to be authenticated as input, and outputsan MAC (sometimes also known as a tag). Although theencryption process for generating the MAC imposes addi-tional calculations to the sensors and the base station, theoverhead is affordable with the existing lightweight symmet-ric encryption algorithms. Recent studies have shown thatsymmetric encryption and hashing function schemes canbe efficiently implemented in various small sensing devices[33,34]. The code sizes in some of these algorithms, likeRC4 and RC5, are very small. They are suitable for thelow-cost processors in sensors which lack large amountsof program memory. When BS receives this message, itcan verify the authenticity of the message by comparingthe received MAC value to the MAC that it computes foritself over the received message with Kv. More importantly,the encryption applies to the responses, whose volume ismuch smaller than that of the normal data traffic.

The encryption, however, cannot solve the problem thatthe malicious nodes themselves provide false responses tohide the real SH. As shown in Fig. 4b, two colluding nodesA and C, together with the real SH, suggest outgoing edgesto a victim node SH 0. To deal with this problem, the BS

can detect the inconsistency among the hop count informa-tion. For instance, we can see that the incoming edges ofthe SH 0 have different number of hop counts, which is sus-picious because the nodes sending messages via the samenext hop should have the same hop counts to the BS. Alsonote that the malicious nodes D, E, and F have identical

2

3

2

3

3

34

4

4 4

4

4

34

2 3

3

4

4

344

3

4

4

3

2

21A

SH

SH

2

3

2

3

3

34

4

4 4

4

4

34

2 3

3

4

4

344

3

4

4

3

2

21A

SH

SH

Correct informationMissing informationWrong informationRoot correction

Fig. 5. Example of intruder identification with multiple malicious nodes.


hop counts in their incoming and outgoing edges, which isagain abnormal. In our algorithm, we calculate the differ-ence between the hop counts provided by a node and thenumber of edges from the node to the current root. Wethen identify the SH and other suspicious nodes by spot-ting the inconsistency of the hop counts.

To this end, we maintain an array Count, where the i-thentry stores the total number of nodes having hop countdifference i. Note that index i can be negative, which indi-cates that the hop count provided by a node is smaller thanits actual distance from the current root. Intuitively, ifCount[0] is not the dominated one in the array, it meansthe current root is unlikely the real intruder. Through ana-lyzing the array Count, we can estimate the hop countsfrom the SH 0 to the SH. For example, if most non-zeroentries of Count fall in the index range [�2,2], we suspectthat the SH is two hops away from the SH 0, which is thecurrent root. Given this estimation, the BS can make rootcorrection and re-calculate the entries of Count for thosenodes within two hops from the SH 0. After several itera-tions, it can conclude the intruder if a majority of the nodesagree with a consistent result. A formal description of theabove procedure can be found in Algorithm 2.

As an example, consider the attacked area in Fig. 5a,where the node SH 0 is the original root of the network flowtree, and its array Count is as follow,

i �2 �1 0 1 2
Count[i] 0 14 8 6 0
Algorithm 2. Find the real intruder with root corrections

for each root r

initialize a new Array count[]initialize a new Path correctPath

checkRootByCount(r, count, 1)S = {x > 0jforall y > 0,count[x] + count[�x] > count[y] + count[�y]}x = min(S)correctRoot(r, r, x, 0, correctPath, count[0])apply correctPath on Network G

end for

subroutine checkRootByCount (Node r, Array count[], int depth)depth = depth +1for each precedent Node c of r

increase count[hop_count(c) – depth] by 1checkRootByCount (c, count, depth)

end for

end checkRootByCount

subroutine correctRoot (Node r, Path p, int totalLevel, int currentLevel,

Path correctPath, int bestCount)if (currentLevel >= totalLevel)

return

end if

currentLevel = currentLevel+1for each precedent node c of r

initialize a new array count[]reverse edge (c,r)checkRootByCount (c, count, 1)

if (count[0] > bestCount)correctPath = p � >c

bestCount = count[0]end if

correctRoot (c, p � >c, totalLevel, currentLevel, correctPath,

bestCount)reverse edge (c,r)

end for

end correctRoot

It shows that only 8 nodes agree that the SH 0 is theintruder. However, 14 nodes do not agree with it. Instead,they suggest that the SH should be one hop closer to theBS than the node SH 0. Since they are the majority, our cor-rection algorithm runs again to look for a new root. Afterthat, the node SH becomes the new root (Fig. 5b), and thecorresponding Count[] becomes,

i �2 �1 0 1 2
Count[i] 0 1 21 6 0
We can see that 21 nodes provide consistent informationabout the current root SH. Since the value of Count[0] isthe majority, the SH is concluded as the intruder.

Table 2Parameter settings of the experiments

Number of nodes of network 400Size of network 200 m · 200 mTransmission range 10 mLocation of BS (100,100)Location of sinkhole (50,50)Percentage of malicious nodes m

Percentage of colluding nodes mc

Message drop rate (d) 0–80%No. of neighbors which a message is forwarded to (k) 1–2Packet size 30 bytesMax. number of reply messages per packet 5

98

98.5

99

99.5

100

0 5 10 15 20

Suc

cess

rat

e (%

)

Ratio of colluding nodes (%)

d=0d=0.2d=0.4d=0.6d=0.8

Fig. 6. Success rate in intruder identification (m = 20%).


The time complexity for calculating array count is O(N),and that for correcting the roots is

Phrc

l¼1tl � N ¼ Oðthrc � NÞ.Here, hrc is the average number of hops where a root cor-rection will take place, which can be estimated from count[]and is in general quite small. The total time is thusOðNÞ þ OðNÞ þ Oðthrc � NÞ ¼ Oðthrc � NÞ, which is relativelylow.

5.3. Proof of correctness

We now give a simple analysis on the correctness of theabove algorithm. We assume that N is the number of nodesin the attacked area, namely, N = Fn + Fs = (Fm + Fr) +Fs.

Property: For any Fm, our sinkhole detection algorithmworks if there are more than 2Fm sensors reporting theirnetwork flow information successfully to the BS and atmost Fm are malicious among them.

Proof. Since there are more than 2Fm sensors successfullyreporting their network flow information, we haveFn > 2Fm, and consequently Fr > Fm. In the worst case, allthe Fm malicious sensors are colluding and suggestingvictim SH 0 as the intruder. Yet, Fr normal sensors willsuggest SH, the real intruder, and the number of thesenodes (Fr) is greater than the malicious nodes (Fm). Hence,our algorithm can correctly identify the real intruderthrough the majority vote.

Our algorithm might not work if Fn 6 2Fm and the mali-cious nodes are all colluding. Nevertheless, it unlikely hap-pens in most sensor networks, where a majority of sensorsshould be in normal condition.

6. Performance evaluation

We further evaluate the performance of our sinkholedetection algorithm through simulations. We simulate awireless sensor network with a 200 meter by 200 meter fieldin which 400 nodes are placed with uniform random distri-bution. The sensors adopt IEEE 802.11 MAC protocolwith radio range of 10 meter. A base station is placed atthe center of the network to collect data from the sensors.Moreover, a sinkhole is added to the network at x- andy-coordinates (50, 50) for emulating a sinkhole attack. Weare interested in evaluating the accuracy on intruder iden-tification, communication overhead, and energy consump-tion of our intruder detection algorithm. Table 2 shows thedefault environment settings of our implementation,mostly adapted from [23,26].

6.1. Accuracy of intruder identification

In the first set of experiments, we investigate the accu-racy of our intruder detection algorithm for sinkholeattacks. We focus on the following three measures: (1) suc-cess rate, which is the percentage that our algorithm cancorrectly identify the SH; (2) false-positive rate, which is

the percentage that our algorithm incorrectly identifiesthe SH; and (3) false-negative rate, which is the percentagethat our algorithm is not able to identify any intruder but itdoes exist.

We first consider a mildly hostile environment in which20% nodes are malicious. For those networks with lessmalicious nodes or even one (the intruder itself) only, theresults are even better. We vary the ratio of colluding nodesfrom 0% to 20% of the total nodes in the network. Whenthe ratio is 20%, all the malicious nodes are colluding withthe intruder; for the ratios lower than 20%, a maliciousnode might randomly drop response messages only butwould not collaborate with the intruder to provide mislead-ing routing information, if it is not a colluding node. Fig. 6shows that the success rates for dropping rates of 0, 0.2,0.4, 0.6 and 0.8, respectively. For the zero dropping rateat the malicious nodes, we can see that the success ratesare 100%. Also the corresponding false-positive andfalse-negative rates are zero, as shown in Figs. 7 and 8,respectively. This is because the number of correct routinginformation pieces is much more than that of the incorrectones in this scenario, and the intruder can always be iden-tified through routing pattern analysis and majority vote.When the drop rate increases, however, the success rate

0

0.5

1

1.5

2

0 5 10 15 20

Fal

se-p

ositi

ve r

ate

(%)


d=0d=0.2d=0.4d=0.6d=0.8

Fig. 7. False-positive rate in intruder identification (m = 20%).

0

0.5

1

1.5

2

0 5 10 15 20

Fal

se-n

egat

ive

rate

(%

)


d=0d=0.2d=0.4d=0.6d=0.8

Fig. 8. False-negative rate in intruder identification (m = 20%).

0

20

40

60

80

100

0 5 10 15 20 25 30 35 40 45 50

Suc

cess

rat

e (%

)


d=0d=0.2d=0.4d=0.6d=0.8


0

20

40

60

80

100

0 5 10 15 20 25 30 35 40 45 50

Fal

se-p

ositi

ve r

ate

(%)


d=0d=0.2d=0.4d=0.6d=0.8


0

20

40

60

80

100

0 5 10 15 20 25 30 35 40 45 50

Fal

se-n

egat

ive

rate

(%

)


d=0d=0.2d=0.4d=0.6d=0.8



slightly decreases. Intuitively, when the malicious nodesrandomly drop a lot of responses, it is possible that the cor-rect information pieces become less than the incorrect ones,which leads to lower success rate, and, not surprisingly,higher false-positive and false-negative rates. Nevertheless,the change is quite minor, even with a dropping rate of80%. Such results suggest that our algorithm works wellunder a normally hostile environment.

Given the above results, it is clear that for less than 20%malicious nodes, our intrusion detection algorithm can beeven more effective. We are thus more interested in its per-formance with other extreme hostile environments. To thisend, we repeat the above experiments for m = 50% and80%, that is, more than half of the nodes are malicious.We again vary the ratio of the colluding nodes (with upperbounds of 50% and 80%, respectively). The correspondingresults are shown in Figs. 9–14. For m = 50%, the success,false-positive, and false-negative rates have similar trends

0

20

40

60

80

100

0 10 20 30 40 50 60 70 80

Suc

cess

rat

e (%

)


d=0d=0.2d=0.4d=0.6d=0.8


0

20

40

60

80

100

0 10 20 30 40 50 60 70 80

Fal

se-p

ositi

ve r

ate

(%)


d=0d=0.2d=0.4d=0.6d=0.8


0

20

40

60

80

100

0 10 20 30 40 50 60 70 80

Fal

se-n

egat

ive

rate

(%

)


d=0d=0.2d=0.4d=0.6d=0.8


0

5

10

15

20

0 1 2 3 4 5 6 7

Pac

kets

per

nod

e

Hops to base station

packet receive (k=1)packet receive (k=2)

packet send (k=1)packet send (k=2)

Fig. 15. Communication cost for intrusion detection.


as those with m = 20%. Though the results are generallyworse, they are still acceptable. It is worth noting that someof the curves are not monotonic, e.g., Fig. 11 (false-nega-tive rates), when the ratio of colluding nodes is around40%. This is mainly due to the random drops by the mali-cious nodes.

For m = 80%, the performance of our detection is gen-erally unacceptable, because the malicious nodes becomedominating in the network. Also note that the trends ofthe curves in this case are often the inverse of that in theprevious two cases. For example, the success rate is thehighest with a dropping rate of 0.8, and the false-negativerate decreases with increasing the ratio of colluding nodes.The reason again is because the misbehaved nodes domi-nate the network. Nevertheless, we do not expect anydetection algorithms would work well in such an extremeenvironment.

6.2. Communication cost

In this experiment, we evaluated the communicationoverhead of our algorithm. Fig. 15 shows the numberof packets sent or received by nodes of different hopsto the BS. We can see that the nodes closer to the BS

have higher overheads. This is because most of the com-munication overhead is incurred in collecting the net-work flow information, and, in this process, a nodecloser to the BS has to relay more messages. Note that,however, the BS (0 hop) sends one request messagesonly, and does not have to relay response messages.The figure also shows the overhead when path redun-dancy is introduced for responses, where k representsthe number of neighbors to which a message will be for-warded. Clearly, the larger the value of k is, the less the

Table 3Parameters of energy consumption

Communication circuit power 5 · 10�8 J/bitCommunication antenna power 1 · 10�10 J/bit/m2

Encryption and MAC computation 3 · 10�9 J/bit

0

100

200

300

400

500

600

700

800

900

1000

1 2 3 4 5 6 7

Ene

rgy

cons

umpt

ion

per n

ode

(uJ)

Hops to base station

k=1k=2

Fig. 16. Energy consumption for intruder identification.


network flow information will be dropped by maliciousnodes. Yet, our experiment shows that, when k = 2, theoverhead is reasonably low while a good delivering ratiocan be expected. In addition, for the nodes that are faraway from the attacked area (in Fig. 15, those of sixor more hop counts), their communication overhead isalmost independent of k because they do not have torespond to the request from the BS.

6.3. Energy consumption

Finally, we study the energy consumption for our intru-der identification algorithm. As mentioned, we assume thatthe BS has high-enough computation and battery power;hence, we mainly focus on the energy consumption in theindividual sensors. It is related to both the transmissioncost for request and response messages and the computa-tion cost for encrypting messages. Table 3 shows a typicalenergy consumption for a sensor node, as adapted from[16,35].

Fig. 16 shows the average energy consumption for ouralgorithm at each single node as a function of its hopcounts to the BS. It can be seen that the consumptionmonotonically decreases with increasing the hop count.This is consistent with the data in Table 3 and the resultfrom the previous section; basically, the communicationoverhead is the dominated one, and the computation partis less than 5% in the total consumption. In addition, sim-ilar to the previous experiments, applying redundant pathsconsumes more energy, as seen in the curve for k = 2.

Nonetheless, the energy consumption for our intruderdetection algorithm is indeed lightweighted. For example,consider a sensor node equipped with two 3 V 1.2 Amp-Hour batteries [36,37]. The total energy available at thisnode is Et = 7.2 VÆAÆHour, which translates into 2000 lJ.Hence, the node needs to spend only a minor portion ofthe available energy for intruder identification throughoutits lifetime.

7. Conclusion and future work

In this paper, we presented an effective method for iden-tifying sinkhole attacks in a wireless sensor network. Thealgorithm consists of two steps: It first locates a list of sus-pected nodes by checking data consistency, and then iden-tifies the intruder in the list through analyzing the networkflow information. We also presented a series of enhance-ments to deal with cooperative malicious nodes that inter-fere the detection algorithm and attempt to hide the realintruder.

The performance of the proposed algorithm was exam-ined through simulations. The results demonstrated theeffectiveness and accuracy of the algorithm. They also sug-gested that its communication and computation overheadsare reasonably low for wireless sensor networks. Therecould be many future directions toward enhancing thiswork; in particular, we are working on more effective statis-tical methods for identifying data inconsistency, which willfacilitate our algorithm to precisely locate the suspectednodes in sinkhole attacks.

Acknowledgements

The work described in this paper was substantially sup-ported by grant from the Research Grants Council of theHong Kong Special Administrative Region, China (ProjectNo. CUHK4205/04E). J. Liu’s work was supported in partby a Canadian NSERC Discovery Grant 288325, anNSERC Research Tools and Instruments Grant, a CanadaFoundation for Innovation (CFI) New OpportunitiesGrant, and an SFU President’s Research Grant.

References

[1] C. Karlof, D. Wagner, Secure routing in sensor networks: attacks andcountermeasures, in: Proceedings of the 1st IEEE Workshop onSensor Network Protocols and Applications, May 2003, pp. 1–15.

[2] A.D. Wood, J.A. Stankovic, Denial of service in sensor networks,IEEE Computer 35 (2002) 54–62.

[3] C. Karlof, N. Sastry, D. Wagner, Tinysec: a link layer securityarchitecture for wireless sensor networks, in: Proceedings of the 2ndInternational Conference on Embedded Networked Sensor Systems,2004, pp. 162–175.

[4] A. Perrig, R. Szewczyk, J.D. Tygar, V. Wen, D.E. Culler, Spins:security protocols for sensor networks, Wireless Network Journal 8(2002) 521–534.

[5] A. Silva, M. Martins, B. Rocha, A. Loureiro, L. Ruiz, H. Wong,Decentralized intrusion detection in wireless sensor networks, in:Proceedings of the 1st ACM International Workshop on Quality


of Service & Security in Wireless and Mobile Networks, 2005, pp.16–23.

[6] B.J. Culpepper, H.C. Tseng, Sinkhole intrusion indicators in DSRMANETs, in: Proceedings of BroadNets ’04, October 2004, pp. 681–688.

[7] H. Deng, W. Li, D.P. Agrawal, Routing security in wireless ad hocnetworks, IEEE Communications Magazine 40 (2002) 70–75.

[8] C. Intanagonwiwat, R. Govindan, D. Estrin, Directed diffusion: Ascalable and robust communication paradigm for sensor networks, in:Proceedings of MobiCom ’00, Aug 2000, pp. 56–67.

[9] F. Ye, A. Chen, S. Lu, L. Zhang, A scalable solution to minimum costforwarding in large sensor networks, in: Proceedings of ICCCN ’01,Oct 2001, pp. 304–309.

[10] D. Braginsky, D. Estrin, Rumour routing algorithm for sensornetworks, in: Proceedings of the WSNA ’02, September 2002, pp.22–31.

[11] J. Hubaux, L. Buttyan, S. Capkun, The quest for security in mobilead hoc networks, in: Proceedings of ACM MobiHoc ’01, October2001, pp. 146–155.

[12] A.A. Pirzada, C. McDonald, Secure routing protocols for mobile ad-hoc wireless networks, in: T.A. Wysocki, A. Dadej, B.J. Wysocki(Eds.), Advanced Wired and Wireless Networks, Springer, 2004.

[13] F. Delgosha, F. Fekri, Key pre-distribution on wireless sensornetworks using multivariate polynomials, in: Proceedings of SECON’05, September 2005, pp. 118–129.

[14] J. Deng, R. Han, S. Mishra, INSENS: intrusion-tolerant routing forwireless sensor networks, Elsevier Computer Communications 29(2006) 216–230.

[15] E. Shi, A. Perrig, Designing secure sensor networks, IEEE WirelessCommunications 11 (2004) 38–43.

[16] A. Perrig, R. Szewczyk, V. Wen, D. Culler, J.D. Tygar, SPINS:security protocols for sensor networks, in: Proceedings of MobiCom’01, July 2001, pp. 189–199.

[17] D.E. Denning, An intrusion detection model, in: Proceedings of theIEEE Symposium on Security and Privacy, 1986, pp. 118–131.

[18] Y. Zhang, W. Lee, Intrusion detection in wireless ad-hoc networks,in: Proceedings of MobiCom ’00, August 2000, pp. 275–283.

[19] Y. Huang, W. Lee, A cooperative intrusion detection system for adhoc networks, in: Proceedings of SASN ’03, October 2003, pp. 135–147.

[20] A.A. Pirzada, C.S. Mcdonald, Circumventing sinkholes and worm-holes in ad-hoc wireless networks, Proceedings of InternationalWorkshop on Wireless Ad-hoc Networks, London, England, KingsCollege, London, 2005.

[21] Y.-C. Hu, A. Perrig, D.B. Johnson, Packet leashes: a defense againstwormhole attacks, in: Proceedings of INFOCOM ’05, March 2005,pp. 1976–1986.

[22] S.S. Doumit, D.P. Agrawal, Self-organized critically & stochasticlearning based intrusion detection system for wireless sensornetworks, in: Proceedings of MILCOM ’03, October 2003, pp.609–614.

[23] A.D. Wood, J.A. Standovic, S.H. Son, JAM: A jammed-areamapping service for sensor networks, in: Proceedings of RTSS ’03,December 2003, pp. 286–297.

[24] J. Staddon, D. Balfanz, G. Durfee, Efficient tracing of failed nodes insensor networks, in: Proceedings of WSNA ’02, September 2002, pp.122–130.

[25] M. Ding, D. Chen, K. Xing, X. Cheng, Localized fault-tolerant eventboundary detection in sensor networks, in: Proceedings of INFO-COM ’05, March 2005, pp. 902–913.

[26] F. Ye, H. Luo, S. Lu, L. Zhang, Statistical en-route filtering ofinjected false data in sensor networks, in: Proceedings of INFOCOM’04, March 2004, pp. 2446–2457.

[27] L. Lazos, R. Poovendran, C. Meadows, P. Syverson, L.W. Chang,Preventing wormhole attacks on wireless ad hoc networks: a graphtheoretic approach, in: Proceedings of WCNC ’05, March 2005,pp.1193–1199.

[28] L. Hu, D. Evans, Localization for mobile sensor networks, in:Proceedings of MobiCom ’04, September 2004, pp. 45–57.

[29] D. Wagner, Resilient aggregation in sensor networks, in: Proceedingsof SASN ’04, October 2004, pp. 78–87.

[30] N. Ye, Q. Chen, An anomaly detection technique based on a chi-square statistic for detecting intrusions into information systems,Quality and Reliability Engineering International 17 (2001)105–112.

[31] M. Bellare, R. Canetti, H. Krawczyk, Keying hash functions formessage authentication, in: Neal Koblitz (Ed.), Advances inCryptology CRYPTO ’96. vol. 1109, of Lecture Notes inComputer Science, Springer-Verlag, Berlin Germany, 1996, pp.1–15.

[32] D. Liu, P. Ning, Establishing pairwise keys in distributed sensornetworks, in: Proceedings of CCS ’03, October 2003, pp. 52–61.

[33] P. Ganesan, R. Venugopalan, P. Peddabachagari, A. Dean, F.Mueller, M. Sichitiu, Analyzing and modeling encryption overheadfor sensor network nodes, in: Proceedings of WSNA ’03, September2003, pp. 151–159.

[34] S. Zhu, S. Setia, S. Jajodia, LEAP: efficient security mechanisms forlarge-scale distributed sensor networks, in: Proceedings of CCS ’03,October 2003, pp. 62–72.

[35] W.B. Heinzelman, A. Chandrakasan, H. Balakrishnan, An appli-cation-specific protocol architecture for wireless microsensor net-works, IEEE Transactions on Wireless Communications 1 (2002)660–670.

[36] MPR/MID User’s Manual, Document 7430-0021-06, Rev. B, Cross-bow Technology, Inc., April 2005.

[37] R. Jurdak, C.V. Lopes, P. Baldi, Battery lifetime estimation andoptimization for underwater sensor networks, IEEE Sensor NetworkOperations (2004).

Edith C. H. Ngai received her B.Eng. degree inComputer Engineering and M.Phil. degree inComputer Science and Engineering from TheChinese University of Hong Kong in 2002 and2004, respectively. She is currently a Ph.D. can-didate in the Computer Science and EngineeringDepartment of The Chinese University of HongKong. Her research interests include mobile adhoc networks, wireless sensor networks, networksecurity, network protocol and algorithm design,and video information processing. She is a stu-dent member of IEEE.

Jiangchuan Liu received the B.Eng. degree (cumlaude) from Tsinghua University, Beijing, China,in 1999, and the Ph.D. degree from The HongKong University of Science and Technology in2003, both in computer science. He is currentlyan assistant professor in the School of Comput-ing Science, Simon Fraser University, BC, Can-ada, and was an assistant professor at TheChinese University of Hong Kong from 2003 to2004. His research interests include Internetarchitecture and protocols, media streaming,

wireless ad hoc networks, and service overlay networks. He serves as TPCmember for various international conferences, including IEEE INFO-
COM and IWQoS. He was Information System Co-Chair for IEEEINFOCOM’04, and a guest-editor for ACM/Kluwer Journal of MobileNetworks and Applications (MONET), Special Issue on Energy Con-straints and Lifetime Performance in Wireless Sensor Networks. He is aneditor of IEEE Communications Surveys and Tutorials. He is a member ofIEEE and ACM, and an elected member of Sigma Xi.


Michael R. Lyu received the B.S. (1981) in elec-trical engineering from National Taiwan Uni-versity, the M.S. (1985) in computer engineeringfrom University of California, Santa Barbara,and the Ph.D. (1988) in computer science fromUniversity of California, Los Angeles. He is aProfessor in the Computer Science and Engi-neering Department of the Chinese University ofHong Kong. He worked at the Jet PropulsionLaboratory, Bellcore, and Bell Labs; and taughtat the University of Iowa. His research interests

include software reliability engineering, software fault tolerance, distrib-uted systems, image and video processing, multimedia technologies, and
mobile networks. He has published over 200 papers in these areas. He hasparticipated in more than 30 industrial projects, and helped to develop
many commercial systems and software tools. Professor Lyu was fre-quently invited as a keynote or tutorial speaker to conferences andworkshops in U.S., Europe, and Asia. He initiated the InternationalSymposium on Software Reliability Engineering (ISSRE), and was Pro-gram Chair for ISSRE’1996, Program Co-Chair for WWW10 andSRDS’2005, and General Chair for ISSRE’2001 and PRDC’2005. He alsoreceived Best Paper Awards in ISSRE’98 and in ISSRE’2003. He is theeditor-in-chief for two book volumes: Software Fault Tolerance (Wiley,1995), and the Handbook of Software Reliability Engineering (IEEE andMcGraw-Hill, 1996). He has been an Associate Editor of IEEE Trans-actions on Reliability, IEEE Transactions on Knowledge and DataEngineering, and Journal of Information Science and Engineering. Pro-fessor Lyu was elected to IEEE Fellow (2004) and AAAS Fellow (2007)for his contributions to software reliability engineering and software faulttolerance.

an eﬃcient intruder detection algorithm against sinkhole ...user.it.uu.se/~eding810/journals/an...

Documents